Snort mailing list archives

Re: Reliability of signatures


From: Martin Holste <mcholste () gmail com>
Date: Fri, 4 Feb 2011 12:45:15 -0600

Personally, I'd like to know what
the most important (as measured, perhaps, as the most hits)

Ok, hang on--I'd actually say that you can get a pretty good idea of
the most important signatures by sorting them in ascending order by
hits.  The higher the number of hits, the greater probability that
each hit is an FP and the signature isn't helpful.  Important caveats
would be for the sigs that aren't alerting on "bad" traffic, but
traffic that is usually good unless it's from a certain IP address
(JAR files, exe files, etc.) or SCAN signatures.  That nuance actually
makes this kind of hard to do in a helpful way.

It's for this reason that I want the manual submissions, not based on logs.
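
The ranking described in the message above, as an added example that is not part of the original post: it counts hits per signature from Snort "fast" alert lines, sorts ascending, and sets aside the signature types the message names as caveats. The sample alerts, SIDs and rule messages are constructed, and treating the `SCAN` and `POLICY` message prefixes as the caveat categories is an assumption.

```python
import re
from collections import Counter

# Matches the "[**] [gid:sid:rev] message [**]" part of a fast-format alert.
ALERT_RE = re.compile(r"\[\*\*\]\s+\[(\d+):(\d+):\d+\]\s+(.*?)\s+\[\*\*\]")

# Assumption: rule messages starting with these prefixes are the caveat cases
# (scan detection, or traffic that is only interesting from certain hosts).
CONTEXT_PREFIXES = ("SCAN", "POLICY")


def rank_signatures(lines):
    """Return (ranked, set_aside): lists of (gid:sid, hits, msg), fewest hits first."""
    hits, msgs = Counter(), {}
    for line in lines:
        m = ALERT_RE.search(line)
        if not m:
            continue  # skip anything that is not a fast-format alert
        key = f"{m.group(1)}:{m.group(2)}"
        hits[key] += 1
        msgs[key] = m.group(3)
    ranked, set_aside = [], []
    for key, count in sorted(hits.items(), key=lambda kv: (kv[1], kv[0])):
        row = (key, count, msgs[key])
        # Hit count says little about these rules, so they are reported separately.
        (set_aside if msgs[key].startswith(CONTEXT_PREFIXES) else ranked).append(row)
    return ranked, set_aside


def _alert(sid, msg, n):
    """Build n identical constructed alert lines for one signature."""
    line = (f"02/04-12:00:00.000000  [**] [1:{sid}:1] {msg} [**] "
            "[Classification: Misc activity] [Priority: 3] {TCP} "
            "10.0.0.5:40000 -> 192.0.2.10:80")
    return [line] * n


# Constructed sample data; SIDs are in the local-rule range and are not real rules.
SAMPLE = (_alert(1000001, "CONSTRUCTED rare exploit attempt", 2)
          + _alert(1000002, "CONSTRUCTED noisy web rule", 40)
          + _alert(1000003, "SCAN constructed port sweep", 15)
          + _alert(1000004, "POLICY constructed exe download", 5)
          + ["not an alert line"])

if __name__ == "__main__":
    ranked, set_aside = rank_signatures(SAMPLE)
    for title, rows in (("Ranked (fewest hits first)", ranked),
                        ("Set aside (needs context)", set_aside)):
        print(title)
        for key, count, msg in rows:
            print(f"  {count:5d}  {key}  {msg}")
```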
